Your SlideShare is downloading. ×
The International Comparative Legal Guide to: Data Protection 2014
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

The International Comparative Legal Guide to: Data Protection 2014

260
views

Published on

The International Comparative Legal Guide to: Data Protection 2014

The International Comparative Legal Guide to: Data Protection 2014

Published in: Law

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
260
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Data Protection 2014 The International Comparative Legal Guide to: BANNING Barrera, Siqueiros y Torres Landa, S.C. CMS Reich-Rohrwig Hainz Dittmar & Indrenius DLA Piper ECIJA ABOGADOS Eversheds Gilbert + Tobin Lawyers Herbst Kinsky Rechtsanwälte GmbH Hunton & Williams KALO & ASSOCIATES Koep & Partners Marrugo Rivera & Asociados, Estudio Jurídico Matheson Mori Hamada & Matsumoto Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados Osler, Hoskin & Harcourt LLP Pachiu & Associates Pestalozzi Portolano Cavallo Studio Legale Raja, Darryl & Loh Subramaniam & Associates (SNA) Wigley & Company Wikborg, Rein & Co. Advokatfirma DA Published by Global Legal Group, with contributions from: A practical cross-border insight into data protection law 1st Edition
  • 2. General Chapter: 1 Data Protection – a Key Business Risk – Bridget Treacy, Hunton & Williams 1 www.ICLG.co.uk Disclaimer This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations. Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720 The International Comparative Legal Guide to: Data Protection 2014 Contributing Editor Bridget Treacy, Hunton & Williams Account Managers Edmond Atta, Beth Bassett, Antony Dine, Susan Glinska, Dror Levy, Maria Lopez, Florjan Osmani, Paul Regan, Gordon Sambrooks, Oliver Smith, Rory Smith Sales Support Manager Toni Wyatt Sub Editors Nicholas Catlin Amy Hirst Editors Beatriz Arroyo Gemma Bridge Senior Editor Suzie Kidd Global Head of Sales Simon Lemos Group Consulting Editor Alan Falach Group Publisher Richard Firth Published by Global Legal Group Ltd. 59 Tanner Street London SE1 3PL, UK Tel: +44 20 7367 0720 Fax: +44 20 7407 5255 Email: info@glgroup.co.uk URL: www.glgroup.co.uk GLG Cover Design F&F Studio Design GLG Cover Image Source iStockphoto Printed by Ashford Colour Press Ltd. May 2014 Copyright © 2014 Global Legal Group Ltd. All rights reserved No photocopying ISBN 978-1-908070-98-2 ISSN 2054-3786 Strategic Partners Country Question and Answer Chapters: 2 Albania KALO & ASSOCIATES: Eni Kalo 7 3 Australia Gilbert + Tobin Lawyers: Peter Leonard & Ewan Scobie 15 4 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch 24 5 Belgium Hunton & Williams: Wim Nauwelaerts & Laura De Boel 34 6 Brazil Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados: Renato Opice Blum 42 7 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen 49 8 China Hunton & Williams LLP Beijing Representative Office: Manuel E. Maisog & Zhang Wei 57 9 Colombia Marrugo Rivera & Asociados, Estudio Jurídico: Ivan Dario Marrugo Jimenez 63 10 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino 69 11 France Hunton & Williams: Claire François 77 12 Germany Hunton & Williams: Dr. Jörg Hladjk & Johannes Jördens 85 13 India Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam 94 14 Ireland Matheson: John O’Connor & Anne-Marie Bohan 105 15 Italy Portolano Cavallo Studio Legale: Laura Liguori & Federica De Santis 115 16 Japan Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi 123 17 Kosovo KALO & ASSOCIATES: Loriana Robo & Atdhe Dika 132 18 Malaysia Raja, Darryl & Loh: Tong Lai Ling & Roland Richard Kual 140 19 Mexico Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O. 149 20 Namibia Koep & Partners: Hugo Meyer van den Berg & Chastin Bassingthwaighte 157 21 Netherlands BANNING: Monique Hennekens & Chantal Grouls 163 22 New Zealand Wigley & Company: Michael Wigley 175 23 Norway Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck 181 24 Romania Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc 191 25 Slovenia CMS Reich-Rohrwig Hainz: Luka Fabiani & Ela Omersa 200 26 South Africa Eversheds: Tanya Waksman 210 27 Spain ECIJA ABOGADOS: Carlos Pérez Sanz 217 28 Switzerland Pestalozzi: Clara-Ann Gordon & Dr. Michael Reinle 226 29 United Kingdom Hunton & Williams: Bridget Treacy & Naomi McBride 234 30 USA DLA Piper: Jim Halpert & Kate Lucente 242
  • 3. EDITORIAL Welcome to the first edition of The International Comparative Legal Guide to: Data Protection. This guide provides the international practitioner and in-house counsel with a comprehensive worldwide legal analysis of the laws and regulations of data protection. It is divided into two main sections: One general chapter entitled Data Protection – a Key Business Risk. Country question and answer chapters. These provide a broad overview of common issues in data protection laws and regulations in 29 jurisdictions. All chapters are written by leading data protection lawyers and industry specialists and we are extremely grateful for their excellent contributions. Special thanks are reserved for the contributing editor Bridget Treacy of Hunton & Williams for her invaluable assistance. Global Legal Group hopes that you find this guide practical and interesting. The International Comparative Legal Guide series is also available online at www.iclg.co.uk. Alan Falach LL.M. Group Consulting Editor Global Legal Group Alan.Falach@glgroup.co.uk
  • 4. WWW.ICLG.CO.UKICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London Chapter 19 149 Barrera, Siqueiros y Torres Landa, S.C. Mexico 1 Relevant Legislation and Competent Authorities 1.1 What is the principal data protection legislation? In Mexico, the Mexican Federal Constitution (Constitucíon Política de los Estados Unidos Mexicanos) provides the right of data protection and grants Congress the power to issue federal laws related to protection of personal information. In an effort to unify, clarify and extend data protection, and in compliance with its constitutional mandate to issue a federal data protection law, Congress enacted the Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Law”), which is the main data protection law in Mexico. The Data Protection Law was published in the Official Gazette of the Federation on July 5, 2010 and became effective on July 6, 2010. The Regulations of the Data Protection Law were published on December 21, 2011 (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the “Data Protection Regulations”)). Thereafter, the regulator issued on January 17, 2013 certain rules for drafting privacy notices (Lineamientos del Aviso de Privacidad) (the “Privacy Notice Guidelines”). In addition to the foregoing, the regulator has issued several recommendations and guidelines with respect to the appointment of data privacy officers and security measures. 1.2 Is there any other general legislation that impacts data protection? There are industry-specific laws that have an impact on data protection such as the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Tranparencia y Ordenamiento de los Servicios Financieros) and the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor). The Federal Copyright Law (Ley Federal del Derecho de Autor) also regulates ownership and use of databases. 1.3 Is there any sector specific legislation that impacts data protection? The consumer sector is directly impacted by the general data protection provisions in the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor) that contain some data privacy provisions. There are plenty of financial laws that impact data protection, including the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Tranparencia y Ordenamiento de los Servicios Financieros), the Investment Funds Law (Ley de Fondos de Inversión), and the Law to Protect and Defend the User of Financial Services (Ley para la Protección y Defensa del Usuario de Servicios Financieros). The Federal Copyright Law (Ley Federal del Derecho de Autor) contains some as well. 1.4 The Data Protection Law applies to every private party (natural person or entity) that collects, uses, transfers or stores Personal Data. What is the relevant data protection regulatory authority(ies)? The Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos) (“IFAI”) has the authority, to investigate compliance and penalise infringements of personal data protection laws by both government agencies and private parties (the latter when violating the Data Protection Law). 2 Definitions 2.1 Please provide the key definitions used in the relevant legislation: “Consent” Expression of the will of the Data Owner by which data processing is enabled. “Data Controller” Individual or private legal entity that decides on the processing of personal data. “Data Owner” The natural person to whom the personal data corresponds. “Data Processor” The natural person or entity that individually or jointly with other natural person(s) or entities processes the Personal Data on behalf of the Data Controller. “Dissociation” The procedure through which personal data cannot be associated with the data owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof. Federico de Noriega O. Mario Jorge Yanez V.
  • 5. ICLG TO: DATA PROTECTION 2014WWW.ICLG.CO.UK © Published and reproduced with kind permission by Global Legal Group Ltd, London Mexico 150 Barrera, Siqueiros y Torres Landa, S.C. Mexico “Financial or Patrimonial Data” Financial and Patrimonial Data is mentioned as a concept but is not a defined term in the Data Protection Law. However, financial data has been recently defined in a resolution of the privacy regulator (Instituto Federal de Acceso a la Información Pública y Protección de Datos) [File PS.0004/13, Defendant: Seguros Banamex, S.A. de C.V.] as the credit history, revenues, expenses, bank accounts, insurance, bonds, bank services or any other data that is part of an individual’s estate. “Personal Data” Any information pertaining to a natural person that is identified or identifiable. “Public Access Source” Databases whose information may be accessed by any person, without further requirement except, where appropriate, the payment of a fee, in accordance with the Data Protection Regulations. “Processing” The collection, use, disclosure or storage of Personal Data by any means. Use includes access, management, exploitation, transfer or disposal of Personal Data. “Sensitive Personal Data” Personal Data touching on the most private areas of the data owner’s life, or which misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views and sexual preference. “Third Party” A Mexican or foreign individual or legal entity other than the Data Owner or the Data Controller. 3 Key Principles 3.1 What are the key principles that apply to the processing of personal data? Consent The Data Controller shall obtain the consent of the Data Owner for processing his/her Personal Data for determined purposes. Data Quality The Data Controller shall process the exact, complete, correct, strictly necessary and updated Personal Data in order to achieve the purposes for which the data is processed. Information Prior to the collection and use of the Data Owner’s Personal Data, the Data Controller has to make available a privacy notice disclosing the purposes for which the data is being collected and meeting several other statutory requirements. Lawful basis for processing The Data Controller shall process Personal Data in accordance with national and international laws. Loyalty Data Controller has the obligation to process Personal Data privileging the protection of Data Owner’s interests and a reasonable expectation of privacy. Proportionality The Data Controller may only process Personal Data that is necessary, adequate and relevant for the purposes disclosed when collecting it, applying a minimisation criterion in accordance with such purposes. Purpose limitation Personal Data may only be processed to comply with the purposes disclosed in the privacy notices. Responsibility The Data Controller is liable and accountable for the Processing of Personal Data kept by the Data Controller as well as for the Personal Data shared with its Data Processors. 4 Individual Rights 4.1 What are the key rights that individuals have in relation to the processing of their personal data? Access to data Data Owners have the right to access their Personal Data and to review the privacy notice applicable to the processing of their Personal Data. Rectify data Data Owners have the right to rectify whenever their Personal Data is incomplete, out-dated or imprecise. Cancel data Data Owners have the right to cancel their Personal Data in case such data is not required for the purposes set forth in the privacy notice, or if such Personal Data is being used for purposes not consented to. Objection to data processing Data Owners have the right to object to the Processing of their Personal Data for purposes beyond what is necessary for the origination and maintenance of the relationship with the Data Controller. Revoke the consent or limit the use or disclosure of Personal Data Data Owners are entitled to, at any time, revoke the consent granted for the processing of their Personal Data or partially or completely limit the use or disclosure of it, for the purposes that are not necessary for the origination and maintenance of the legal relationship between the Data Controller and him/her, and be included in an exclusion list, for purposes such as requesting to not be contacted (i.e. marketing purposes). File complaints with relevant data protection authority(ies) Data Owners have the right to complain before the IFAI in case any private party does not answer his/her request to exercise access, rectification, cancellation, objection or revocation rights in the manner and within the term provided by the Data Protection Law and the Data Protection Regulations. 5 Registration Formalities and Prior Approval 5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.) The Data Protection Law does not provide any registration or notification to the data protection regulator.
  • 6. WWW.ICLG.CO.UKICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London 151 Barrera, Siqueiros y Torres Landa, S.C. Mexico 5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.) Registrations and notifications are not applicable. 5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.) Registrations and notifications are not applicable. 5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.) Registrations and notifications are not applicable. 5.5 What are the sanctions for failure to register/notify where required? Registrations and notifications are not applicable. 5.6 What is the fee per registration (if applicable)? Registrations and notifications are not applicable. 5.7 How frequently must registrations/notifications be renewed (if applicable)? Registrations and notifications are not applicable. 5.8 For what types of processing activities is prior approval required from the data protection regulator? Prior approval from the data protection regulator is not required for any type of processing. 5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe. Approval is not applicable. 6 Appointment of a Data Protection Officer 6.1 Is the appointment of a Data Protection Officer mandatory or optional? In accordance to the Data Protection Law, every Data Controller must appoint a person or department in charge of Personal Data (“Data Protection Officer” or “DPO”). The main functions of the DPO are to process requests from Data Owners about exercise of their access, rectification, cancellation, revocation and objection rights of privacy and to promote the protection of Personal Data within their companies or organisations. The Data Protection Law is relatively ambiguous with respect to the appointment of a DPO within an organisation and fails to provide specific criteria, methods or mechanisms for companies or organisations to follow for this purpose. The IFAI has published certain non-mandatory guidelines and recommendations for the appointment of the DPO. 6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required? The Data Protection Law does not provide a specific sanction for failing to appoint a DPO. 6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)? This is not applicable since it is required to appoint a DPO. 6.4 Please describe any specific qualifications for the Data Protection Officer required by law. There are no specific qualifications for the DPO in the Data Protection Law. Pursuant to the recommendations of the IFAI, the following are a few of the ideal characteristics of the profile for a DPO: Experience in Personal Data protection or knowledge of the subject. Vision and leadership. Organisational and communication skills. Resource availability and exploitability. Due position and hierarchy within the entity. 6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice? Some of the specific duties/tasks of the DPO are the following: Setting forth and managing procedures for the reception, processing and timely attention of requests made by Personal Data Owners in the exercise of their access, rectification, cancellation and/or objection rights. Monitoring developments and changes in law regarding Personal Data protection and privacy that may affect the actions performed within the organisation at any given time and taking the necessary steps to adjust them. Drafting, publishing, delivering and executing Personal Data protection practices and policies within the organisation or otherwise adjusting the current ones with the applicable legal framework. Developing instruments to assess the efficiency and effectiveness of such practices and policies. Surveying and reviewing the internal procedures of the organisation regarding collection, use, exploitation, storage, cancellation, application and transfer of Personal Data in order to ensure its protection and strict compliance with the principles stated in the Data Protection Law. Coordinating and training the other areas or departments of the organisation for them to acknowledge the practices and policies issued as well as the compliance with such. Promoting internal and external data protection as well as taking on the position of Personal Data representative of the entity. Mexico
  • 7. ICLG TO: DATA PROTECTION 2014WWW.ICLG.CO.UK © Published and reproduced with kind permission by Global Legal Group Ltd, London Mexico 152 Barrera, Siqueiros y Torres Landa, S.C. Mexico 6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)? The appointment does not need to be registered or notified with any data protection authorities. 7 Marketing and Cookies 7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.) The Data Protection Law and the Data Protection Regulations provide that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the “purposes of processing” in the privacy notice. Such rules provide the creation of exclusion lists, which are databases intended to record the refusal of the Data Owner concerning the processing of his/her personal data for marketing and/or offering and promoting goods, products and services by any physical or technological means. Consent is required but it may be implied consent. Therefore, it is an opt-out system. Opt-out mechanisms shall be expressly included in the privacy notice. The Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor), sets forth rules aimed to protect private consumer data and data exchanged in consumer transactions and specifically in electronic transactions. It provides the registration of consumers on the Public Registry of Consumers, which will be integrated by a list of consumers that do not want to be contacted to receive any kind of marketing communications. Up to this date, the Public Registry of Consumers only allows to list a phone number to avoid receiving marketing phone calls. This law provides for an opt-out system. The Federal Law to Protect and Defend Users of Financial Services (Ley de Protección y Defensa al Usuario de Servicios Financieros), provides that financial institutions regulated thereunder shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered in the no- call registry of the National Commission for the Defense of Financial Consumers. This law provides for an opt-out system. Federal Law of Transparency and Order of Financial Services (Ley Federal para la Transparencia y Ordenamiento de Servicios Financieros), provides that clients of banks and loan companies may only be contacted to offer them financial products if they expressly accepted to be contacted and only through their business address, phone or email. This law provides for an opt-in system. Credit Institutions Law (Ley de Instituciones de Crédito), includes rules protecting the use of information provided by bank consumers for advertising or marketing purposes without authorisation. Users of financial services may register their email addresses and phone numbers in order to avoid unwanted advertising. Regulatory Law of Credit Reporting Companies (Ley para Regular las Sociedades de Información Crediticia), provides that Credit Reporting Companies may not use the data contained in credit reports in marketing or advertising promotions. 7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions? The IFAI has been very active in the enforcement of data protection rules. Recently the IFAI has imposed severe fines ton diverse private parties, in particular the regulator has imposed fines on financial entities derived from infringement on marketing restrictions. 7.3 What are the maximum penalties for sending marketing communications in breach of applicable restrictions? A fine of up to 320,000 days of the minimum daily wage in Mexico City (approximately €1,200,000) may be imposed for sending unsolicited marketing communications. Fines may be doubled when dealing with Sensitive Data. 7.4 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)? Currently neither the Data Protection Law nor the Data Protection Regulations provide the requirement of explicit opt-in consent for the collection of Personal Data through cookies. On the other hand, the Privacy Notice Guidelines provide that in case the Data Controller uses mechanisms through remote or local electronic means that allow automatic collection of Personal Data, Data Controllers shall inform the Data Owner conspicuously about the use of such technologies and the manner to disable such methods. 7.5 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)? Please see answer above. 7.6 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies? Currently, we have no notice of any sanction or proceeding initiated by the regulator regarding to this matter. 7.7 What are the maximum penalties for breaches of applicable cookie restrictions? By the interpretation of the Data Protection Law, consent being an essential principle protected by the law, if a Data Controller collects and processes Personal Data without consent or without informed consent (i.e., failing to include cookie warnings), a Data Controller maybe sanctioned with a fine from 200 to 320,000 days of the General Minimum Wage in Mexico City (approximately €750 to €1,200,000), and likewise, such fine may be doubled when dealing with Sensitive Data. 8 Restrictions on International Data Transfers 8.1 Please describe any restrictions on the transfer of personal data abroad. Personal Data may be transferred to third parties in Mexico or
  • 8. WWW.ICLG.CO.UKICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London 153 Barrera, Siqueiros y Torres Landa, S.C. Mexico abroad as long as: (i) such transfer was disclosed in the privacy notice; (ii) the transferee receives a copy of the privacy notice; and (iii) the transferee uses the Personal Data for the purposes disclosed in the privacy notice. The privacy notice must contain a specific clause indicating that the Data Owner authorises transfer to third parties. The transferee or recipient shall be liable for the same obligations as those imposed on the Data Controller. Transfers may be made without the Data Owner’s consent when the transfer is: (i) required by law or an international treaty; (ii) required for medical treatment or services; (iii) to affiliates, subsidiaries or controlling companies; (iv) required by a contract to be executed or executed between the transferee and the Data Owner; (v) required for public interest or for administration of justice; (vi) required for the recognition, exercise or defence of a right in a judicial procedure; or (vii) required to maintain or perform an agreement between the Data Controller and the Data Owner. 8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions. Companies typically execute a Data Transfer Agreement, which states all the responsibilities that the Data Controller and transferee will have in order to comply with the Mexican laws. 8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take. There is no registration or notification requirement for data transfers. 9 Whistle-blower Hotlines 9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.) Whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations, and currently the authority has not published any guidance related to this matter. Note, however, that whenever Personal Data is collected, processed and/or transferred, a privacy notice shall be provided by the Data Controller to the Data Owners prior his/her data Processing. 9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue? As mentioned on our answer above, whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations and currently the authority has not published any guidance related to this matter. Typically, and for the purposes of a whistle-blowing system, companies inform its employees (on their Privacy Notice), that their Personal Data may be used for anonymous reporting and investigation or for the implementation of a whistle-blowing system. 9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions. There is no registration or notification requirement for whistle- blower hotlines. 10 CCTV and Employee Monitoring 10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)? As mentioned before, Data Protection Law does not provide any registration or notification to the Data Protection Regulator. 10.2 What types of employee monitoring are permitted (if any), and in what circumstances? Employee monitoring is not regulated on the Data Protection Law. However, any methods used to collect Personal Data shall be informed to the Data Owners in the privacy notice. 10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice. Typically employers inform their employees of the collection of their Personal Data through the Privacy Notice. The form of consent varies depending on whether the Personal Data is Sensitive Data, Financial Data or any other data. If Sensitive Data is processed, expressly written consent is required. Express consent is required for the processing of Financial Data and implied consent is required for the processing any other Personal Data. In the case of CCTV systems, we understand that only ordinary Personal Data is collected, so implied consent is enough. The IFAI has issued some recommendations on short-form privacy notices to be used for CCTV systems. In the case of employee monitoring and collection of Sensitive Data or Financial Data, employers will require express written consent from the employee. 10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted? No notice to unions or employees’ representatives is required. 10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)? Data Protection Law does not provide any registration or notification to the data protection regulator in this regard. Mexico
  • 9. ICLG TO: DATA PROTECTION 2014WWW.ICLG.CO.UK © Published and reproduced with kind permission by Global Legal Group Ltd, London Mexico 154 Barrera, Siqueiros y Torres Landa, S.C. Mexico 11 Processing Data in the Cloud 11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)? The Data Protection Regulations regulate cloud computing. The Data Protection Regulations provide that Data Controllers shall only contract cloud-computing services from a provider that meets the following requirements: (i) have policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations; (ii) disclose the fact that it subcontracts third parties; (iii) not condition the service upon becoming the owner or acquiring any right over the Personal Data; (iv) maintain the confidentiality of Personal Data; and (v) have mechanisms to: (a) notify changes in their privacy policies; (b) allow the Data Controller to limit the processing of the Personal Data; (c) have security measures that are reasonable with respect to the service; (d) guarantee the cancellation of data once the service is terminated; and (e) block access to the Personal Data to those persons that do not have access privileges except when ordered by a competent authority and the Data Controller is informed of such order. The Data Protection Regulations state that Data Controllers shall not contract cloud-computing services that do not guarantee adequate data protection. 11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)? Please refer to the answer above. 12 Big Data and Analytics 12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)? Data Protection Law does not regulate the utilisation of big data or analytics and the IFAI has not issued any guidance on this matter. 13 Data Security and Data Breach 13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)? Data Controllers shall adopt the security measures and procedures that are necessary to protect the Personal Data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall at least be equal to the measures that the Data Controller uses to protect its own information. Regarding to the foregoing, IFAI published on October 30, 2013 in the Official Gazette of the Federation the “Recommendations on Security of Personal Data”, in order to provide Data Controllers with some guidance with respect to the minimum actions considered necessary for the security of Personal Data. Adoption of the foregoing recommendations is voluntary and monitoring thereof does not exempt Data Controllers of their liability for any breach of their databases. In this regard, IFAI has expressed as a general recommendation to adopt a Security Management System of Personal Data (“SGSDP”), which the Institute has defined as a “general management system to establish, implement, operate, monitor, review, maintain and improve processing and security of personal data on the basis of the risk of the assets and of the basic principles of legality, consent, information, quality, purpose, loyalty, proportionality and liability provided for in the Data Protection Law, its regulations, secondary regulations and any other principle which provided good international practice in the matter”. The recommended SGSDP has four cycles with different phases and activities known as Plan-Do-Check-Act. 13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting. Data Protection Law does not require the reporting or notification of data breaches to the IFAI. 13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting. Yes. Data breaches need to be notified to the Data Owners but only those that significantly affect the patrimonial or moral rights of the Data Owners. Data Controllers must send the notice immediately after becoming aware of the data breach. The notification must include: (a) the nature of the incident; (b) the compromised data; (c) the recommendations to the Data Owners as to what measures he/she may take to protect his/her interests; (d) corrective actions taken by the Data Controller; and (e) how he/she can get more information on the matter. 14 Enforcement and Sanctions 14.1 Describe the enforcement powers of the data protection authority(ies): Investigatory Power Civil/Administrative Sanction Criminal Sanction Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos; “IFAI”). Administrative Sanctions.
  • 10. WWW.ICLG.CO.UKICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London 155 Barrera, Siqueiros y Torres Landa, S.C. Mexico 14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases. Infringements of the Data Protection Law are subject to sanctions by the regulator (administrative fines) and to civil and criminal liability by the corresponding authorities (mentioned above). Administrative fines may be from 100 to 320,000 times the daily minimum wage (approximately €375 to €1,200,000), and doubled when dealing with Sensitive Personal Data; criminal liability may also be found in the event of illegal handling of personal data. Precedents regarding sanctions applied to private parties are: (i) a bank infringed several provisions of the Data Protection Law arising from a request of exercise of access, rectification, cancellation and objection rights; the authority sanctioned the bank with a fine of €900,00 approx.; (ii) a sports club failed to include in its privacy notice the options and means by which the data owner could limit the use or disclosure of their personal data, and was sanctioned by our regulator with a fine of €72,000 approx.; and (iii) a savings bank that did not have a privacy policy and collected personal financial and economic data without the express consent of the Data Owner was sanctioned with a fine of €72,000 approx. 15 E-discovery / Disclosure to Foreign Law Enforcement Agencies 15.1 How do companies within Mexico respond to foreign e- discovery requests, or requests for disclosure from foreign law enforcement agencies? Mexican companies typically request that for any disclosure of Personal Data, such request shall be supported by a legal valid document or judicial order provided by the foreign competent authority and delivered through appropriate diplomatic or judicial channels. 15.2 What guidance has the data protection authority(ies) issued? The IFAI has failed to issue any guidance on this matter. Acknowledgment The authors would like to acknowledge the assistance of their colleague Rodrigo Méndez S. in the preparation of this chapter. Mexico Investigatory Power Civil/Administrative Sanction Criminal Sanction Public Prosecutor’s Office. Corporal penalties from six months to five years imprisonment. Civil Courts. Civil Sanctions (tort liability/claim of damages/honour and reputation).
  • 11. ICLG TO: DATA PROTECTION 2014WWW.ICLG.CO.UK © Published and reproduced with kind permission by Global Legal Group Ltd, London Mexico 156 Barrera, Siqueiros y Torres Landa, S.C. Mexico Mario Jorge Yanez V. Barrera, Siqueiros y Torres Landa, S.C. Paseo de Tamarindos 150 PB Bosques de las Lomas Mexico City, D.F., 05120 Mexico Tel: +52 55 5091 0165 Fax: +52 55 5091 0123 Email: mjyanez@bstl.mx URL: www.bstl.com.mx/en Mr. Yanez received his law degree at Universidad Nacional Autónoma de México (1986-1991), followed by a Masters degree at Columbia University in New York (1992-1993). Mr. Yanez has excelled in different practice areas like Mergers and Acquisitions; Foreign Trade (Anti-dumping Investigations and NAFTA Disputes); Environmental; Data Protection; Entertainment and Gaming; Nationality/Immigration. Mr. Yanez clerked at Barrera, Siqueiros y Torres Landa (BSTL) from 1988-1991, becoming a full-time associate in 1992. Mr. Yanez moved to the United States to earn his Masters degree at Columbia University (1992- 1993) and to occupy a foreign associate position at Vial, Hamilton, Koch & Knox LLP (Dallas, Texas; 1993-1994). Mr. Yanez returned to BSTL to resume his position as associate, becoming partner in 2000. Mr. Yanez has received recognitions from Chambers Global, Chambers Latin America, Latin America’s Leading Lawyers for Business, Latin Lawyer 250, and other publications. Mr. Yanez is admitted to practice law in Mexico. Mr. Yanez is also available at: Barrera, Siqueiros y Torres Landa, S.C., Av. Ricardo Margáin 444, Torre Norte, Mezzanine “A”, Valle del Campestre, San Pedro Garza Garcia, N.L., 66265, Mexico, Tel: +52 (81) 8220 1500, Fax: +52 (81) 8220 1529. Federico de Noriega O. Barrera, Siqueiros y Torres Landa, S.C. Paseo de Tamarindos 150 PB Bosques de las Lomas Mexico City, D.F., 05120 Mexico Tel: +52 55 5091 0154 Fax: +52 55 5091 0123 Email: fnoriega@bstl.mx URL: www.bstl.com.mx/en Mr. Noriega completed his law degree at Universidad Iberoamericana (2000-2005), followed by a Masters degree at Harvard Law School (2006-2007). Mr. Noriega’s areas of practice include Commercial Law, Mergers and Acquisitions, Corporate Financing and Data Protection. Mr. Noriega was a foreign associate at Sidley Austin LLP (New York office) in 2007 and 2008, after which he re-joined Barrera, Siqueiros y Torres Landa. Mr. Noriega elevated to partnership at BSTL in 2014. Mr. Noriega was awarded Academic Excellence by the Universidad Iberoamericana for scoring the Highest GPA of his class. Chambers & Partners Latin America 2012 and 2013 editions ranked Mr. Noriega as an “Associate to watch” in “Banking and Finance”. Mr. Noriega is admitted to practice law in Mexico and in the State of New York. BSTL is one of leading firms in Mexico with more than 65 years of experience. BSTL is a full-service firm with the necessary resources to meet the challenges our clients face in some of the most important transactions in their history as well as on a day- by-day basis. Moreover, the diversity of our firm allows us to provide comprehensive legal advice in any particular transaction, meeting all of our clients’ expectations. BSTL is well recognised by its clients, peers and local authorities for its work in several areas of practice, including privacy, corporate services, mergers and acquisitions, real estate, antitrust, arbitration and litigation and government procurement. Our privacy team has advised clients in issues related to compliance of general privacy laws and industry-specific privacy laws (labour, consumer-protection, financial and health laws). We analyse the data Processing activities carried out by our clients and provide business-oriented solutions.
  • 12. www.iclg.co.uk 59 Tanner Street, London SE1 3PL, United Kingdom Tel: +44 20 7367 0720 / Fax: +44 20 7407 5255 Email: sales@glgroup.co.uk Other titles in the ICLG series include: Alternative Investment Funds Aviation Law Business Crime Cartels & Leniency Class & Group Actions Competition Litigation Construction & Engineering Law Copyright Corporate Governance Corporate Immigration Corporate Recovery & Insolvency Corporate Tax Data Protection Employment & Labour Law Environment & Climate Change Law Franchise Insurance & Reinsurance International Arbitration Lending & Secured Finance Litigation & Dispute Resolution Merger Control Mergers & Acquisitions Mining Law Oil & Gas Regulation Patents Pharmaceutical Advertising Private Client Product Liability Project Finance Public Procurement Real Estate Securitisation Shipping Law Telecoms, Media & Internet

×